Showing
6 changed files
with
120 additions
and
24 deletions.
@@ -418,19 +418,6 @@ | |
|
||
MEDIA_URL = "/media/" # unused but needs to be different from STATIC_URL in django 3 | ||
|
||
# CORS settings | ||
|
||
CORS_ORIGIN_ALLOW_ALL = True | ||
FLAGSMITH_CORS_EXTRA_ALLOW_HEADERS = env.list( | ||
"FLAGSMITH_CORS_EXTRA_ALLOW_HEADERS", default=["sentry-trace"] | ||
) | ||
CORS_ALLOW_HEADERS = [ | ||
*default_headers, | ||
*FLAGSMITH_CORS_EXTRA_ALLOW_HEADERS, | ||
"X-Environment-Key", | ||
"X-E2E-Test-Auth-Token", | ||
] | ||
|
||
DEFAULT_FROM_EMAIL = env("SENDER_EMAIL", default="[email protected]") | ||
EMAIL_CONFIGURATION = { | ||
# Invitations with name is anticipated to take two arguments. The persons name and the | ||
|
@@ -1046,6 +1033,21 @@ | |
USE_SECURE_COOKIES = env.bool("USE_SECURE_COOKIES", default=True) | ||
COOKIE_SAME_SITE = env.str("COOKIE_SAME_SITE", default="none") | ||
|
||
# CORS settings | ||
|
||
CORS_ORIGIN_ALLOW_ALL = env.bool("CORS_ORIGIN_ALLOW_ALL", not COOKIE_AUTH_ENABLED) | ||
CORS_ALLOW_CREDENTIALS = env.bool("CORS_ALLOW_CREDENTIALS", COOKIE_AUTH_ENABLED) | ||
FLAGSMITH_CORS_EXTRA_ALLOW_HEADERS = env.list( | ||
"FLAGSMITH_CORS_EXTRA_ALLOW_HEADERS", default=["sentry-trace"] | ||
) | ||
CORS_ALLOWED_ORIGINS = env.list("CORS_ALLOWED_ORIGINS", default=[]) | ||
CORS_ALLOW_HEADERS = [ | ||
*default_headers, | ||
*FLAGSMITH_CORS_EXTRA_ALLOW_HEADERS, | ||
"X-Environment-Key", | ||
"X-E2E-Test-Auth-Token", | ||
] | ||
|
||
# use a separate boolean setting so that we add it to the API containers in environments | ||
# where we're running the task processor, so we avoid creating unnecessary tasks | ||
ENABLE_PIPEDRIVE_LEAD_TRACKING = env.bool("ENABLE_PIPEDRIVE_LEAD_TRACKING", False) | ||
|
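Review bot: `CORS_ORIGIN_ALLOW_ALL` and `CORS_ALLOW_CREDENTIALS` (the first two assignments after `# CORS settings`) are each independently overridable from the environment, so a deployment can end up with both set to `True`; in that combination django-cors-headers reflects the request `Origin` instead of sending `*`, which lets any site make cookie-authenticated cross-origin calls — exactly the exposure that `COOKIE_AUTH_ENABLED` makes real. The defaults derived from `COOKIE_AUTH_ENABLED` are safe out of the box, but nothing rejects the unsafe override. Suggest failing fast directly after those two lines: `if CORS_ORIGIN_ALLOW_ALL and CORS_ALLOW_CREDENTIALS:` / `    raise ImproperlyConfigured("CORS_ORIGIN_ALLOW_ALL and CORS_ALLOW_CREDENTIALS must not both be enabled")` (`django.core.exceptions.ImproperlyConfigured`, imported if the settings module does not already have it). `COOKIE_AUTH_ENABLED` is read here but defined outside the hunk; and if the installed django-cors-headers is 3.5 or newer, `CORS_ALLOW_ALL_ORIGINS` is the current name for this setting, the old one being a still-supported alias.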
@@ -0,0 +1,20 @@ | ||
from typing import Any | ||
from urllib.parse import urlparse | ||
|
||
from core.helpers import get_current_site_url | ||
from corsheaders.signals import check_request_enabled | ||
from django.dispatch import receiver | ||
from django.http import HttpRequest | ||
|
||
|
||
@receiver(check_request_enabled) | ||
def cors_allow_current_site(request: HttpRequest, **kwargs: Any) -> bool: | ||
# The signal is expected to only be dispatched: | ||
# - When `settings.CORS_ORIGIN_ALLOW_ALL` is set to `False`. | ||
# - For requests with `HTTP_ORIGIN` set. | ||
origin_url = urlparse(request.META["HTTP_ORIGIN"]) | ||
current_site_url = urlparse(get_current_site_url(request)) | ||
return ( | ||
origin_url.scheme == current_site_url.scheme | ||
and origin_url.netloc == current_site_url.netloc | ||
) |
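Review bot: `request.META["HTTP_ORIGIN"]` raises `KeyError` if this receiver is ever dispatched for a request without an `Origin` header, and an exception raised inside a signal receiver propagates out of the middleware as a 500 for that request; the comment above it records an assumption about the dispatcher, not something this module enforces. Reading it defensively is one line: `origin = request.META.get("HTTP_ORIGIN")` followed by `if not origin: return False` before the first `urlparse` call. A docstring is also missing; something like "Allow CORS only for requests whose Origin exactly matches the current site's scheme and host; consulted by django-cors-headers when CORS_ORIGIN_ALLOW_ALL is False." The exact scheme+netloc comparison is the right shape (no subdomain or prefix matching), but what counts as the current site is whatever `get_current_site_url` derives from the request, so its host input presumably needs to stay constrained by `ALLOWED_HOSTS` — the helper is not visible here, so confirm.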
|
@@ -408,6 +408,44 @@ def test_login_workflow__jwt_cookie__mfa_enabled( | |
assert not response.data | ||
|
||
|
||
# In the real world, setting `COOKIE_AUTH_ENABLED` to `True` | ||
# changes default CORS setting values. | ||
# Due to how Django settings are loaded for tests, | ||
# we have to override CORS settings manually. | ||
@override_settings( | ||
COOKIE_AUTH_ENABLED=True, | ||
DOMAIN_OVERRIDE="testhost.com", | ||
CORS_ORIGIN_ALLOW_ALL=False, | ||
CORS_ALLOW_CREDENTIALS=True, | ||
) | ||
def test_login_workflow__jwt_cookie__cors_headers_expected( | ||
db: None, | ||
api_client: APIClient, | ||
) -> None: | ||
# Given | ||
email = "[email protected]" | ||
password = FFAdminUser.objects.make_random_password() | ||
register_url = reverse("api-v1:custom_auth:ffadminuser-list") | ||
protected_resource_url = reverse("api-v1:projects:project-list") | ||
register_data = { | ||
"first_name": "test", | ||
"last_name": "last_name", | ||
"email": email, | ||
"password": password, | ||
"re_password": password, | ||
} | ||
api_client.post(register_url, data=register_data) | ||
|
||
# When | ||
response = api_client.get( | ||
protected_resource_url, | ||
HTTP_ORIGIN="http://testhost.com", | ||
) | ||
|
||
# Then | ||
assert response.headers["Access-Control-Allow-Origin"] == "http://testhost.com" | ||
|
||
|
||
def test_throttle_login_workflows( | ||
api_client: APIClient, | ||
db: None, | ||
|
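Review bot: The `# Then` block of `test_login_workflow__jwt_cookie__cors_headers_expected` only checks that the matching origin is echoed; it does not assert `Access-Control-Allow-Credentials`, which is what `CORS_ALLOW_CREDENTIALS=True` in the decorator exists to produce, and it has no negative case showing that a non-matching origin is refused — the refusal is the security property this change introduces, and without it a regression to allow-all would still pass this test. The origin value below is a constructed sample. `test_throttle_login_workflows` begins at the end of the hunk and continues outside it.
```python
    # Then
    assert response.headers["Access-Control-Allow-Origin"] == "http://testhost.com"
    assert response.headers["Access-Control-Allow-Credentials"] == "true"

    # A non-matching origin must not be reflected back
    response = api_client.get(
        protected_resource_url,
        HTTP_ORIGIN="http://not-testhost.example",
    )
    assert "Access-Control-Allow-Origin" not in response.headers
```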